From owner-freebsd-questions@FreeBSD.ORG Fri Apr 13 14:01:06 2007
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id BFB5316A402; Fri, 13 Apr 2007 14:01:06 +0000 (UTC) (envelope-from tlt@tltodd.com)
Received: from tltodd.com (tltodd.com [64.80.250.209]) by mx1.freebsd.org (Postfix) with ESMTP id 05B1213C4BA; Fri, 13 Apr 2007 14:00:41 +0000 (UTC) (envelope-from tlt@tltodd.com)
Received: (from tlt@localhost) by tltodd.com (8.9.3/8.9.3) id IAA15503; Fri, 13 Apr 2007 08:57:15 -0500 (CDT) (envelope-from tlt)
Date: Fri, 13 Apr 2007 08:57:15 -0500
From: Terry Todd
To: Jonathan McKeown
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw fwd not working in 6.2-release
Message-ID: <20070413085715.B15209@badger.tltodd.com>
References: <20070403105841.A98763@badger.tltodd.com> <200704051620.22407.jonathan@hst.org.za> <20070412135824.A82713@badger.tltodd.com> <200704130928.05581.jonathan@hst.org.za>
In-Reply-To: <200704130928.05581.jonathan@hst.org.za>; from jonathan@hst.org.za on Fri, Apr 13, 2007 at 09:28:05AM +0200
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 13 Apr 2007 14:01:06 -0000

On Fri, Apr 13, 2007 at 09:28:05AM +0200, Jonathan McKeown wrote:
> [Reordered, freebsd-questions re-added]
>
> On Thursday 12 April 2007 20:58, Terry Todd wrote:
> > On Thu, Apr 05, 2007 at 04:20:22PM +0200, Jonathan McKeown wrote:
> > > On Thursday 05 April 2007 16:01, Jonathan McKeown wrote:
> > > > On Thursday 05 April 2007 15:42, Terry Todd wrote:
> > > [ipfw not accepting fwd rules when kernel built with
> > > options IPFIREWALL_FORWARD
> > > and I agreed, saying]
> > > >
> > > > Has the way ipfw.ko is built changed? Do we need to compile ipfw into
> > > > the kernel to use ipfw fwd rules now? Or can I force ipfw.ko to be
> > > > rebuilt with forwarding included?
> > >
> > > I'm on my way home now, but a quick look at the source suggests that
> > > unless ipfw.ko is built with this option set, rule-based forwarding is
> > > disabled - and indeed this message appears in my boot messages.
> > >
> > > Presumably the option is not fed to the module during a buildkernel.
> > >
> > > I'm going to try building just that module with the option set.
> >
> > Have you made any progress on this?
> >
> > Thanks,
>
> I must admit I gave up on rebuilding the module. My rationale for using
> ipfw.ko rather than options IPFIREWALL was to reduce the number of custom
> kernels I run (I have several servers throughout South Africa and in London,
> with a central build system). It dawned on me that if I'm using options
> IPFIREWALL_FORWARD I'm already building a custom kernel anyway, so I might as
> well add options IPFIREWALL as well.
>
> That worked.
>
> The alternative seems to be to edit the Makefile for ipfw - which I didn't
> want to do as I'm building multiple kernels for multiple machines on my build
> box.
> If you're building one kernel on the box it's going to be installed on,
> it looks to me as though the place to start is /sys/modules/ipfw/Makefile,
> which I'm quoting in its entirety as it's a short file:
>
> ========
> # $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.21.2.2 2006/09/19 15:45:21 csjp Exp $
>
> .PATH: ${.CURDIR}/../../netinet
>
> KMOD=	ipfw
> SRCS=	ip_fw2.c ip_fw_pfil.c
> SRCS+=	opt_inet6.h opt_ipsec.h opt_mac.h
>
> CFLAGS+= -DIPFIREWALL
> #
> #If you want it verbose
> #CFLAGS+= -DIPFIREWALL_VERBOSE
> #CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
> #
> #If you want it to pass all packets by default
> #CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
> #
>
> .if !defined(KERNBUILDDIR)
> .if !defined(NO_INET6)
> opt_inet6.h:
> 	echo "#define INET6 1" > ${.TARGET}
> .endif
> .endif
>
> .include <bsd.kmod.mk>
> ========
>
> It looks as though you would need to add
>
> CFLAGS += -DIPFIREWALL_FORWARD
>
> to build an ipfw.ko which supports forward rules. You can see quickly whether
> you have succeeded, as ipfw (built-in or loaded as module) puts a line into
> your boot messages which tells you whether ``rule-based forwarding'' is
> enabled or disabled.
>
> This may be more of a question for -hackers than -questions, but I'd be
> interested to know why modules ignore kernel options and whether there's any
> way to change or override that.
>
> Jonathan

To summarize: adding both lines

options IPFIREWALL
options IPFIREWALL_FORWARD

works; adding just the one line

options IPFIREWALL_FORWARD

does not work.

Thanks very much.

Terry Todd
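The two checks the thread relies on, written up as a small POSIX sh script. This is an added example, not code from the thread or from FreeBSD: the first function looks at a dmesg(8) capture for the ipfw initialization line Jonathan mentions and reports whether it says "rule-based forwarding enabled" or "disabled" (the exact wording is assumed from the 6.x ip_fw2.c initialization message); the second function checks that a kernel config file carries both `options IPFIREWALL` and `options IPFIREWALL_FORWARD`, which is the combination Terry found to work, ignoring commented-out lines. The kernel config path in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example (not from the thread or from the FreeBSD tree).
# Two checks for the ipfw fwd problem discussed above:
#   1. ipfw_fwd_state  - what does the loaded ipfw say about rule-based forwarding?
#   2. kernconf_has_fwd - does a kernel config carry BOTH options the thread needed?

# Usage: ipfw_fwd_state "$(dmesg)"
# Prints: enabled | disabled | unknown
# Assumed message wording (from the 6.x ip_fw2.c init printf), e.g.:
#   ipfw2 (+ipv6) initialized, divert enabled, rule-based forwarding disabled, default to deny, logging disabled
ipfw_fwd_state() {
    case "$1" in
        *"rule-based forwarding enabled"*)  echo enabled ;;
        *"rule-based forwarding disabled"*) echo disabled ;;
        *)                                  echo unknown ;;   # ipfw not loaded, or message scrolled out of the buffer
    esac
}

# Usage: kernconf_has_fwd /usr/src/sys/i386/conf/MYKERNEL   (path is a placeholder)
# Returns 0 only when both 'options IPFIREWALL' and 'options IPFIREWALL_FORWARD'
# are present as live (uncommented) lines. IPFIREWALL_FORWARD alone returns 1,
# matching the thread's finding that the forwarding option by itself does nothing.
kernconf_has_fwd() {
    conf=$1
    # drop comments first so a '#options IPFIREWALL' line does not count
    opts=$(sed -e 's/#.*//' "$conf")
    # the trailing ([[:space:]]|$) stops IPFIREWALL from matching IPFIREWALL_FORWARD
    printf '%s\n' "$opts" | grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL([[:space:]]|$)' || return 1
    printf '%s\n' "$opts" | grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_FORWARD([[:space:]]|$)' || return 1
    return 0
}

# Stand-alone use: report on the running system and on a config given as $1.
if [ -n "$1" ]; then
    echo "ipfw rule-based forwarding: $(ipfw_fwd_state "$(dmesg 2>/dev/null)")"
    if kernconf_has_fwd "$1"; then
        echo "$1: IPFIREWALL and IPFIREWALL_FORWARD both set"
    else
        echo "$1: missing IPFIREWALL and/or IPFIREWALL_FORWARD"
    fi
fi
```

Run it on a fresh boot, before the dmesg buffer has wrapped, or feed it `/var/run/dmesg.boot` instead of `dmesg` output; on a box where ipfw.ko was loaded without the option the first check prints "disabled" even when the kernel config passes the second one, which is exactly the mismatch the thread is about.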